Failed authorization procedure 20170111

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:./certbot-auto --apache certonly

It produced this output:

 Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to for TLS-SNI-01 challenge

My operating system is (include version):
debian 7.11
My web server is (include version):
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): y
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): n

apache2ctl configtest returns OK rates the site A

DNS is properly configured both forward and reverse

dig	86400	IN	A

dig -x 86400 IN	PTR

but the debug log shows:

  "identifier": {
    "type": "dns",
    "value": ""
  "status": "invalid",

this is the only clue I have that the LE server is unhappy but I have no idea why

That’s kinda weird, I can connect succesfully from my end too (The Netherlands).

Perhaps some firewall issue on your end with selective blocking of certain IP’s?

oh yeah I forgot. Since this is our public web server the firewall allows inbound 80 and 443 from the world. And the DNS server allows TCP and UDP 53 from the world.

Perhaps this incident has something to do with it:

The outage is over, and no change

This inability to solve this is an unfortunate show stopper. I have to get a $$ cert in a few days

@cpu, any ideas about the source of this error on the LE side? … if the ACME error message is being echoed correctly it sounds like it’s not actually DNS-related.

1 Like

@schoen The error being reported is accurate. From our end the only additional information I can add is that the connection wasn’t refused, but timed out.

Could this be a certbot configuration issue? How does ./certbot-auto --apache certonly provision the TLS-SNI-01 challenge setup when there is already an existing HTTPS configuration on 443 as in this case?

Can you guys from LE actually traceroute to that address?

Edit: UDP seems blocked. ICMP works.

# traceroute -I -f 6
traceroute to (, 30 hops max, 60 byte packets
 6 (  219.972 ms  219.920 ms  219.909 ms
 7 (  182.663 ms  182.641 ms  182.638 ms
 8 (  189.602 ms  189.590 ms  189.792 ms
 9 (  186.327 ms  186.317 ms  186.434 ms
10 (  182.424 ms  182.415 ms  182.402 ms
11 (  192.197 ms  190.847 ms  190.796 ms
12 (  187.387 ms  187.358 ms  187.442 ms

Thats an interesting question, just how IS that supposed to work. Is my apache server supposed to be off when I’m doing this ?

did the test, apache needs to be running already

Since you’re using certonly mode anyway, it might be worth trying the webroot plugin. If the webroot plugin works, it would rule out network issues (unless they’re specific to port 443), and would point towards an issue with the temporary apache configuration change certbot uses to validate domain ownership or something like that. The command for webroot would look roughly like this (note that you’ll have to explicitly provide the domains with this plugin, certbot won’t read them from your apache configuration):

certbot-auto certonly --webroot -w /var/www/html -d -d

/var/www/html should point to the directory your DocumentRoot directive is pointing to.

If that one fails with a network-related error as well, you’re probably looking at a network issue somewhere between you and all the network hops to Let’s Encrypt. These tend to be close to impossible to debug from your end.

1 Like

I asked our operations team to try and rule this possibility out but it would be great if we could rule out other more mundane possibilities in parallel!

Thanks @pfg

1 Like

webroot worked! Thanks. It looks like it was a good idea to run it in in certonly mode if it silently had problems with the apache configuration

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.